Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

List of not used transactions

Former Member
0 Kudos

Hi,

Is there any possibility to find the list of not used transactions in SAP system from the past three months?

We got this requirement for locking the list of not used customized transactions.

Please suggest in this.

Thanks & Regards,

KKRao.

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor
0 Kudos

As much as i can remember, a similar kind of thread was discussed before in this forum. Can you please do a search?

Regards,

Dipanjan

20 REPLIES 20

Former Member
0 Kudos

Think about it a while... -> is the real problem that the role design is the problem and users have access to things which they should not have?

Locking transactions does not work (you will never find them all nor all possible navigation means) and will cause problems (transactions which appear not to be used will block the system from working properly).

Bad idea. As security you should advise your requirement against doing this.

Cheers,

Julius

0 Kudos

Hi Julius,

If in case i need to find out the least used transactions ?

how do i find the list of least used transactions , is there any transaction or report , please let me know.

Many thanks,

Sanketh.

0 Kudos

Download TADIR transactions to Excel.

Download SM20N transactions to Excel for the period you want and filter by the number of entries per transaction and sort decending.

=> Most used at the top, least used at the bottom.

Now do a REFERENCE check on the TADIR download for transactions not in the SM20N list.

=> Not used during that period.

But this is not bullet-proof, as report transactions can be started directly and might also have the check in them, etc.

Still not sure why you would want this, other than taking a shortcut (in security).

Analyzing business processes and transaction flows and performance is a different topic though, and perhaps best suited to a general ERP forum.

Cheers,

Julius

sdipanjan
Active Contributor
0 Kudos

As much as i can remember, a similar kind of thread was discussed before in this forum. Can you please do a search?

Regards,

Dipanjan

Former Member
0 Kudos

>

> Hi,

>

> Is there any possibility to find the list of not used transactions in SAP system from the past three months?

>

> We got this requirement for locking the list of not used customized transactions.

>

> Please suggest in this.

>

> Thanks & Regards,

> KKRao.

You can execute ST03N -> Expert Mode -> Total -> Month -> then in the below window -> Click on Memory use statistics -> you will get the list of t-codes that has been executed in that month.

You might have to check with your Basis team for the amount of data they keep before deleting or archiving it.

0 Kudos

What a lot of basis admins don't know is that ST03N aggregates the data and in an obscure function module "translates" the transaction context into symbolic ones.

It is not the correct tool, even although it appears at first to be usefull - and is, for other purposes.

Don't be surprised if you cause a mess!

Security is about granting access and testing it - functionally and negative testing for security.

Depending on your install and processes and functional consulting skills, this can be smooth sailing or a rough ride.

> List of not used transactions

The subject title says it all...

Cheers,

Julius

0 Kudos

ST03N will not give you all the transactions executed. I'm not exactly sure but I think it's based on workload threshold.

If you have security auditing setup in SM19 you can run SM20 or SM20N as Julius stated. Make sure you select "transaction start" and under the format tab set the desired maximum number of pages. Then just do the needful

0 Kudos

To my knowledge it is a combination of aggregating the data and translating certain transactions and reports into symbolic ones.

ST03N data is intended for performance analysis and monitoring of the system. It's use for security is co-incidental and should not be relied upon.

Cheers,

Julius

0 Kudos

>

> What a lot of basis admins don't know is that ST03N aggregates the data and in an obscure function module "translates" the transaction context into symbolic ones.

>

> It is not the correct tool, even although it appears at first to be usefull - and is, for other purposes.

>

> Don't be surprised if you cause a mess!

>

> Security is about granting access and testing it - functionally and negative testing for security.

>

> Depending on your install and processes and functional consulting skills, this can be smooth sailing or a rough ride.

>

> > List of not used transactions

> The subject title says it all...

>

> Cheers,

> Julius

Maybe we are going off the track but If a tool is helpful in giving information and if the information is correct then i will use it even if it was not intended for that purpose.

Workload monitor can be used to display the Workload and transactions used listed by users. Please let me know where is it stated that it cannot be used for that purpose and I will stop recommending and using it for this purpose.

Regarding SM20. How may systems have SM19 configuration for all users for the transaction start. I know SM20 is a better tool but most of the companies configure it only for their Firecall user ids and not all the user ids. If they do that is good but if they have not done it then I just wanted to let know there are other options.

Regarding giving access to t-codes that are needed, I fully agree with it but face it ..it is not just 1 Security Admin always in any companies life time and not everybody has same skill level, so there will always be things that should not be there.

0 Kudos

Hi Nishant,

Lets put it this way => STAD is usefull if you are fast enough.

The problem with ST03N is that (to my understanding) the purpose is response times of the application server and the frontend and system load. It is also very usefull for the client and server RFC calls.

But in both cases you cannot take it at face value as the data is aggregated and background jobs are renamed (their tcodes), as well as archiving and RFC calls which might include sessions which are interactive with the SAPGui. Or... the users are not using the SAPGui, but rather an ABAP function wrapped in a service, etc.

My point is only that you can use this data, not you should not rely on it as information to build roles with or, as most posts of this kind intend, to lock transaction codes in SM01.

> Regarding SM20. How may systems have SM19 configuration for all users for the transaction start.

Yes, this is true. But the only difference is that ST03N data is configured for you by the stat collector job. For the audiot log you actually have to know what you are doing and what you want to do with it.

With 100k users starting all sorts of transactions which are navigating all over the place... what other reliable means is there to analyze it. You cannot wish the user activity away to make it easier - you can only user the selection filters if you know what you are looking for.

<continued in next post due to formatting restrictions....>

Edited by: Julius Bussche on Sep 11, 2009 9:23 PM

0 Kudos

<... continued....>

> Regarding giving access to t-codes that are needed, I fully agree with it but face it ..it is not just 1 Security Admin always in any companies life time and not everybody has same skill level, so there will always be things that should not be there.

Yes, that is true of all professions, but it does depend on the risk involved and the effort (in the long run) to maintain a mess.

Imagine a surgeon operating on you who is using 50% guess-work about where your mouth is (SU24) and where your stomach is (PFCG) - lets leave SU56 out of scope for now. And leaving some of the scalpels and wadding inside you when stitching you back together again?

Or a nuclear power plant run by freshers?

Or a multi-billion $ business which is toasted by an untrained basis admin who locks a transaction because it was not found in ST03N... and brings the production plant to a standstill and corrupts a whole bunch of other process' data relying on it but still updating because the user has SAP_ALL, etc. That is what I meant by "big mess".

I think your "tolerance" for errors belittles the fact that a significant number of the worlds transaction processing runs through a SAP system at some point in time. This is not just a little experiment for many customers. It is important to them.

It sort of implies that load distribution of diverse errors has decreasing returns to scale - with standards based initiatives this cannot hold true. At least I sincerely hope not.

I have seen a few messes in my time, but well trained folks who use the correct tools make much less of them.

Having said the above, I do use ST03N. But I do not rely on it.

Cheers,

Julius

0 Kudos

Hi Julius,

All of us agree that we should create roles as per the required functionality and the t-codes required in them. Locking the inactive t-code whether you find it through SM20 or ST03N is not a good practise on the belief that when t-code was added in the first place there should have been reason to add it.

what if there are t-codes that are not needed regularly but needed to stay in role..say for example OB52 that is only required when you have to open and close posting period. Again people can say we should put the t-codes that are not required always in a some kind of Super role and give it on a super user id...and there could be a few solution depending on the Business requirement.

So the best thing to do for this security admin would be to take a dump of all the production roles and the t-codes each contain and go through the respecive functional SME's to understand whether the t-code is needed or not needed. if not needed get it removed from the role. And he can take help of SM20 or ST03N to find the the tcodes that are not used frequently to shorten his list of tcodes and ask about them specifically to the respective SME's or Business approvers.

0 Kudos

>Locking the inactive t-code whether you find it through SM20 or ST03N is not a good practise on the belief that when t-code was added in the first place there should have been reason to add it.

I agree with you. Take a look at the original question in this thread.

This is not only limited to transactions in the role menu or S_TCODE.

However S_TCODE is a SAPGui capable entry point. There are others -> imagine "locking" a BAPI because no one called it remotely? Again here, you can easily make mistakes in ST03N.

Cheers,

Julius

0 Kudos

>

I know SM20 is a better tool but most of the companies configure it only for their Firecall user ids and not all the user ids.

None of the companies I have consulted at or audited over the last 10 years have only used audit log for firecall ID's. It would be a deficiency if it had been switched on but used to track wide access ID's

0 Kudos

It is also very usefull to carefull design what you use static profiles for, and what you want to use dynamically in the system landscape.

It really is a great security tool - not only limited to auditing.

Cheers,

Julius

0 Kudos

I couldn't agree more. It's such a useful tool & if the archiving of the logs is managed correctly, filespace concerns are minimal.

0 Kudos

I had exactly similar situation in my previous project.

They had Tidal software installed and it reports exactly what you are asking for.

You can select user, and a period of three or six months etc.

In return you will get list of all the transactions the user is assigned along with the CPU time utilized withing each transaction.

This you can sort in excell to see what transactions were used the most, least or not used at all.

After discussing with relevant BPOs or functional team you can get approval and remove the unused transactions from those roles.

This should resolve your issues.

0 Kudos

Hi Ziauddin,

It would appear that the tool reads standard logs, making it a bit easier to identify the information (within the period of the logging).

From a usability perspective does it offer much over using the standard tools like ST03N or the Audit Log?

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

Hello Rao,

Is Compliance Calibrator installed in ur org. If yes, then there is one utility which was created for this very puspose.

Regards,

Surpreet